CVE-2026-21695: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in kromitgmbh titra
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
AI Analysis
Technical Summary
CVE-2026-21695 is a Mass Assignment vulnerability (CWE-915, Improperly Controlled Modification of Dynamically-Determined Object Attributes) in Titra, the open-source project time tracking software, affecting versions 0.99.49 and below. The flaw sits in an API endpoint that accepts a customfields parameter. The parameter is validated as an Object, but the keys inside it are not restricted: the handler merges the object into the time-entry document with the JavaScript spread operator (...customfields), so every key the client sends becomes a field of the stored document, and any key that collides with a server-controlled field overwrites it. An authenticated user can therefore set protected fields such as userId, hours, and state directly, bypassing the business logic that decides who owns an entry, how many hours it records, and what state it is in. The attack needs a valid account but no user interaction. The CVSS v3.1 score is 4.3 (medium), consistent with a network-reachable, low-privilege attack whose only impact is a low-level loss of integrity; confidentiality and availability are not affected. No exploitation in the wild was reported as of publication. The issue is fixed in Titra 0.99.50. The advisory does not describe the fix itself; the standard remedy for this class of bug is to allowlist the keys permitted inside customfields and reject everything else before merging.
Potential Impact
For European organizations running Titra 0.99.49 or below, the risk is to the integrity of time tracking data. Any user with valid credentials can rewrite fields such as userId, hours, and state on time entries, which enables fraudulent time reporting (booking hours under another user's identity, inflating the hours on an entry, or changing its state), with knock-on effects on payroll, client billing, project budgets, and records kept for labor-law compliance. Confidentiality and availability are not affected, but the integrity compromise has financial and audit consequences wherever Titra feeds billing, project management, or workforce tracking. Because authentication is required, the threat actors are insiders and holders of compromised accounts rather than anonymous attackers; that narrows exposure but does not remove it. Self-hosted or customized installations are most exposed where the 0.99.50 fix is not applied promptly.
Mitigation Recommendations
European organizations should upgrade Titra to version 0.99.50 or later, where the issue is fixed. Where an upgrade must wait, the only real interim fix is in the server code: patch the affected handler to allowlist the keys permitted inside customfields and reject any request carrying another key, in particular userId, hours, and state. Restrict who can create and edit time entries with role-based access controls, and monitor for entries whose userId differs from the account that submitted the request or whose state changed without the expected workflow step. Audit time tracking data periodically for such anomalies. Enforce strong authentication and watch for compromised credentials, since any valid account is enough to exploit this. If feasible, keep the instance in a restricted network segment and place it behind an application-layer firewall or reverse proxy that can inspect JSON request bodies and block a customfields object containing protected key names. Finally, keep self-hosted open-source deployments on a tracked patch cadence so that fixes like 0.99.50 are applied promptly.
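The spread-operator pattern described in the Technical Summary and the allowlist fix recommended above, as an added example that is not Titra's own code: the vulnerable handler is modelled as a plain function that builds the stored document (Titra's real code is a server-side method; the entry layout, the custom-field names, and all function names here are assumptions), beside a hardened version that allowlists keys and merges the server-controlled fields last.

```javascript
// Added example, not Titra's code: a model of the mass-assignment pattern the
// advisory describes, beside an allowlisted replacement. Function names, the
// entry layout, PROTECTED_FIELDS and ALLOWED_CUSTOM_FIELDS are assumptions.

// Fields the server sets itself; a client must never be able to write them.
const PROTECTED_FIELDS = new Set(['_id', 'userId', 'hours', 'state', 'createdAt']);

// Custom-field keys this deployment permits (assumed; in Titra they are admin-defined).
const ALLOWED_CUSTOM_FIELDS = new Set(['costCenter', 'ticket']);

function isPlainObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Vulnerable pattern: customfields passes an "is it an Object?" check, then is
// spread into the document. Because it is spread last, every key the client
// sends is stored, and colliding keys overwrite the server-controlled values.
function buildTimeEntryVulnerable(sessionUserId, { projectId, task, hours, customfields }) {
  if (customfields !== undefined && !isPlainObject(customfields)) {
    throw new TypeError('customfields must be an object');
  }
  return {
    projectId,
    task,
    hours,
    userId: sessionUserId,
    state: 'new',
    ...customfields, // userId, hours and state from the client win here
  };
}

// Hardened pattern, step 1: keep only own keys that are on the allowlist,
// reject protected and unknown keys outright, and accept only scalar values
// so nested objects or query operators cannot reach the database layer.
function sanitizeCustomFields(customfields) {
  if (customfields === undefined) return {};
  if (!isPlainObject(customfields)) throw new TypeError('customfields must be an object');
  const clean = {};
  for (const key of Object.keys(customfields)) {
    if (PROTECTED_FIELDS.has(key)) throw new Error(`customfields may not set protected field "${key}"`);
    if (!ALLOWED_CUSTOM_FIELDS.has(key)) throw new Error(`unknown custom field "${key}"`);
    const value = customfields[key];
    if (typeof value !== 'string' && typeof value !== 'number') {
      throw new TypeError(`custom field "${key}" must be a string or number`);
    }
    clean[key] = value;
  }
  return clean;
}

// Hardened pattern, step 2: spread the sanitized input first and the
// server-controlled fields last, so even a future allowlist mistake cannot
// overwrite userId, hours or state. (hours here is the legitimately submitted
// value, validated by the rest of the handler as before.)
function buildTimeEntryHardened(sessionUserId, { projectId, task, hours, customfields }) {
  return {
    ...sanitizeCustomFields(customfields),
    projectId,
    task,
    hours,
    userId: sessionUserId,
    state: 'new',
  };
}

// Constructed request body (not a captured exploit): a low-privilege user tries
// to book 40 approved hours in someone else's name through customfields.
const ATTACK_BODY = {
  projectId: 'proj-1',
  task: 'fix build',
  hours: 1,
  customfields: { userId: 'victim-user', hours: 40, state: 'approved', ticket: 'T-1' },
};

function demo() {
  const vulnerable = buildTimeEntryVulnerable('attacker-user', ATTACK_BODY);
  let hardenedError = null;
  try {
    buildTimeEntryHardened('attacker-user', ATTACK_BODY);
  } catch (err) {
    hardenedError = err.message;
  }
  const legitimate = buildTimeEntryHardened('attacker-user', {
    ...ATTACK_BODY,
    customfields: { ticket: 'T-1' },
  });
  return { vulnerable, hardenedError, legitimate };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node. The two defences are independent: the allowlist stops unknown and protected keys at the boundary, and spreading the server-controlled fields after the sanitized input means a colliding key can never win even if the allowlist is later extended carelessly. The Object type check that the vulnerable code already performs does nothing against either problem.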
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-02T18:45:27.397Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 695eeee107b8a419a7712f38
Added to database: 1/7/2026, 11:40:17 PM
Last enriched: 1/15/2026, 4:38:48 AM
Last updated: 2/7/2026, 3:52:48 AM